15 votes

Git ransom campaign incident report—Atlassian Bitbucket, GitHub, GitLab

4 comments

  1. balooga

    That's a frighteningly big, coordinated attack. Good response from the providers. Fortunately it doesn't look like any ransoms were paid to that bitcoin address, assuming the one in the article is the same singular address requesting payment.

    I'm not sure I understand the logic behind the attack. The thing that makes ransomware so effective is that the victims no longer have access to their data. But this is git; every dev in the company should have a copy of (at least part of) the repo. It might be a bit of an inconvenience to reassemble a new replacement origin repo, but nothing should be lost. I guess the real threat is more akin to blackmail, that if the money isn't paid the attacker will leak source code or other secrets. This should be treated more like a data breach than a ransomware attack, I think.

    9 votes
    1. cadadr

      > I'm not sure I understand the logic behind the attack. The thing that makes ransomware so effective is that the victims no longer have access to their data. But this is git; every dev in the company should have a copy of (at least part of) the repo.

      Well, you have your issues, milestones, pull requests, CI setup, ACLs, etc. Also, there are many supposed "package managers" that just pull stuff from random git repos here and there, without a hint of vetting or testing; these could be the source of a malware attack because many people are just blindly downloading from these repos. And there are languages out there like Golang where the URL to a package is significant when programming, so it may potentially be a PITA to deal with this. These accounts (especially GitHub) are used for OpenID, to log in to many services, so they are compromised too. And then there is the whole question of private repos.

      7 votes
    2. Diff

      > I'm not sure I understand the logic behind the attack. The thing that makes ransomware so effective is that the victims no longer have access to their data. But this is git; every dev in the company should have a copy of (at least part of) the repo. It might be a bit of an inconvenience to reassemble a new replacement origin repo, but nothing should be lost. I guess the real threat is more akin to blackmail, that if the money isn't paid the attacker will leak source code or other secrets. This should be treated more like a data breach than a ransomware attack, I think.

      That's probably why the main thing they're threatening is "If you don't pay us, we'll leak it" instead of "If you don't pay us, we'll destroy it."

  2. Somebody

    This is why we can't have nice things.
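balooga's point that a wiped origin is an inconvenience rather than a loss, because every developer's clone carries the history, can be shown end to end. The script below is an added example and is not part of the thread or of any provider's incident response: it builds a throwaway bare "origin" and a developer clone in a temp directory (all paths and commit contents are constructed), replaces the remote history so it looks like a repository did after the incident, detects the rewrite from the clone, and pushes the intact history back. It assumes only a working `git` on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): detect a rewritten hosted repository from an
# ordinary developer clone and restore it. Everything here runs in a temp directory.
set -eu

WORK=$(mktemp -d)
ORIGIN="$WORK/origin.git"   # stands in for the hosted repository (constructed path)
DEV="$WORK/dev"             # an ordinary developer clone (constructed path)
trap 'rm -rf "$WORK"' EXIT

# git with a fixed identity and branch name so the example needs no global config.
gitc() { git -c user.name=dev -c user.email=dev@example.invalid -c init.defaultBranch=main "$@"; }

setup_fixture() {
    gitc init -q --bare "$ORIGIN"
    gitc clone -q "$ORIGIN" "$DEV" 2>/dev/null    # warns about cloning an empty repo; harmless
    ( cd "$DEV"
      printf 'int main(void) { return 0; }\n' > app.c
      gitc add app.c && gitc commit -qm "initial"
      printf '/* second change */\n' >> app.c
      gitc commit -qam "second"
      gitc branch -q -M main
      gitc push -q -u origin main )
}

# Replace origin's main with a single unrelated commit, which is what the affected
# repositories looked like: history gone, one file left behind (note text constructed).
simulate_wiped_origin() {
    gitc clone -q "$ORIGIN" "$WORK/other"
    ( cd "$WORK/other"
      gitc checkout -q --orphan replaced
      gitc rm -rqf .
      printf 'placeholder note, constructed for this example\n' > README
      gitc add README && gitc commit -qm "replaced"
      gitc push -qf origin replaced:main )
}

# Detection from the developer's clone: after a fetch, local main must be an ancestor
# of origin/main. When it is not, the remote history was rewritten, not merely advanced.
remote_status() {
    ( cd "$DEV"
      gitc fetch -q origin
      if gitc merge-base --is-ancestor main origin/main; then echo intact; else echo rewritten; fi )
}

# Recovery: push the intact local history back. --force-with-lease refuses the push if
# origin/main moved since the fetch in remote_status, so a colleague's restore is not clobbered.
restore_origin() {
    ( cd "$DEV" && gitc push -q --force-with-lease origin main )
}

# Number of commits reachable from origin's main, as a post-restore sanity check.
origin_commit_count() {
    gitc -C "$ORIGIN" rev-list --count main
}

run_demo() {
    setup_fixture
    STATUS_BEFORE=$(remote_status)
    simulate_wiped_origin
    STATUS_AFTER_WIPE=$(remote_status)
    restore_origin
    STATUS_AFTER_RESTORE=$(remote_status)
    ORIGIN_COMMITS=$(origin_commit_count)
    echo "before: $STATUS_BEFORE, after wipe: $STATUS_AFTER_WIPE, after restore: $STATUS_AFTER_RESTORE ($ORIGIN_COMMITS commits on origin/main)"
}

run_demo
```

The ancestry check is the useful part for detection: a remote that merely moved ahead still contains the local branch, while a replaced history does not, so `merge-base --is-ancestor` separates the two without comparing hashes by hand. What the clone cannot bring back is everything cadadr lists that lives outside the git object store (issues, pull requests, CI settings, access control), which is why the restore above is only part of the recovery.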